CyberGlossary

Network Security

Mutual TLS (mTLS)

Also known as: Two-way TLS, Client-authenticated TLS

Definition

An extension of TLS in which both the client and the server present X.509 certificates so that each side cryptographically authenticates the other.

Mutual TLS is a variant of the TLS handshake in which the server requests a client certificate in addition to presenting its own. Each side validates the peer's certificate chain against the CAs it trusts and checks, via the peer's CertificateVerify signature, that it holds the matching private key; only then is the encrypted, mutually authenticated session established. It is widely used for machine-to-machine and service-to-service communication in zero-trust architectures, API gateways, service meshes, and as a VPN replacement. Defences and hygiene include short-lived certificates issued by a private CA, automated rotation, OCSP or CRL checking, and strict identity matching: the server authorises on the identity carried in the verified certificate (a SAN such as a DNS name or SPIFFE URI) rather than on the mere fact that some chain validates, and certificate-bound tokens or other bearer credentials are rejected when the presenting client's certificate does not match the one they were bound to.

Examples

  • A Kubernetes service mesh that issues SPIFFE identities so every pod-to-pod call uses mTLS.
  • An API gateway that requires partner systems to present a client certificate signed by an internal CA.
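The following Go program is an added illustration of the definition and of the service-mesh example above; it is not code from this glossary or from any mesh or gateway product. It assumes a throwaway private CA generated in memory, a server named api.internal, two workloads with the hypothetical SPIFFE IDs spiffe://example.org/ns/default/sa/partner and .../sa/rogue, and a server-side allowlist containing only the first. It uses only Go's standard library (crypto/tls, crypto/x509) and a loopback TCP listener, and needs Go 1.18 or newer for the generic helper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// must panics on setup failures (key generation, listening); only the server's verdict on a client is returned as an error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign mints a fresh P-256 key and has parent sign tmpl for it; a nil parent yields the self-signed private CA.
func sign(tmpl *x509.Certificate, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// leaf is a short-lived end-entity template: a spiffe:// SAN becomes the URI SAN carrying a workload identity; anything else is the server's DNS name.
func leaf(serial int64, eku x509.ExtKeyUsage, san string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), // short-lived: rotate rather than rely on revocation
	}
	if u := must(url.Parse(san)); u.Scheme == "spiffe" {
		t.URIs = []*url.URL{u}
	} else {
		t.DNSNames = []string{san}
	}
	return t
}

// handshake runs one TLS 1.3 handshake over loopback and returns the identity the server
// accepted, or the server-side rejection. An empty client slice models a client with no certificate.
func handshake(ca, server tls.Certificate, client []tls.Certificate, allowed map[string]bool) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{server}, ClientCAs: pool, MinVersion: tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mTLS
		// Runs only after the chain has verified against ClientCAs; this step decides *which* workload may talk to us.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if lf := chains[0][0]; len(lf.URIs) == 1 && allowed[lf.URIs[0].String()] {
				return nil
			}
			return fmt.Errorf("CA-issued client certificate, but SPIFFE ID %v is not authorised", chains[0][0].URIs)
		},
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "api.internal", Certificates: client}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	// Client side. In TLS 1.3 its handshake can complete before the server has judged its certificate.
	go func() { _, _ = tls.Dial("tcp", ln.Addr().String(), cliCfg) }()
	srv := tls.Server(must(ln.Accept()), srvCfg)
	defer srv.Close()
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].URIs[0].String(), nil
}

// runScenarios issues one server leaf and two workload leaves from the same CA and reports the server's verdict on three clients.
func runScenarios() (partnerID string, partnerErr, rogueErr, noCertErr error) {
	ca := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example internal CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil)
	server := sign(leaf(2, x509.ExtKeyUsageServerAuth, "api.internal"), &ca)
	partner := sign(leaf(3, x509.ExtKeyUsageClientAuth, "spiffe://example.org/ns/default/sa/partner"), &ca)
	rogue := sign(leaf(4, x509.ExtKeyUsageClientAuth, "spiffe://example.org/ns/default/sa/rogue"), &ca)
	allowed := map[string]bool{"spiffe://example.org/ns/default/sa/partner": true} // the server's policy
	partnerID, partnerErr = handshake(ca, server, []tls.Certificate{partner}, allowed)
	_, rogueErr = handshake(ca, server, []tls.Certificate{rogue}, allowed)
	_, noCertErr = handshake(ca, server, nil, allowed)
	return
}

func main() { fmt.Println(runScenarios()) }
```

Running it shows the three outcomes that matter in practice: the allowlisted workload is accepted and the server learns its SPIFFE ID from the verified leaf, the rogue workload is rejected even though its certificate chains to the same trusted CA (a valid chain is not an authorisation decision), and a client with no certificate is refused by RequireAndVerifyClientCert. Note the TLS 1.3 caveat encoded in the client goroutine: the client's handshake can return success before the server has evaluated its certificate, so a real client must treat a rejection on its first read or write as an authentication failure, and the server is the place to log which identity was accepted or refused. Revocation checking (OCSP or CRL) is not shown; with one-hour leaves as above, rotation rather than revocation carries most of that load.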

Related terms